Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

Thanks for the update, my main relay was vulnerable but I've patched it now to 0.2.8.9. My Raspberry Pi is running 0.2.5.12 -- is that ok?
just a reminder since most of the tor network (including some of the biggest operators) still runs vulnerable relays
https://blog.torproject.org/blog/tor-0289-released-important-fixes
Since 2/3 directory authorities removed most vulnerable versions from their 'recommended versions' you should see a log entry if you run outdated versions (except if you run 0.2.5.12).
It is not possible to reliably determine the exact CW fraction affected[1] due to the fact that patches were released that didn't increase tor's version number. Therefore it is also possible that you get log entries even if you run a patched version (IMHO this hasn't been handled in the most professional way).
Update instructions

Debian/Ubuntu
==============
make sure you use the Torproject repository:
https://www.torproject.org/docs/debian.html.en
(you can also use the debian repository but the Torproject's repo will provide you with the latest releases)

aptitude update && aptitude install tor

CentOS/RHEL/Fedora
===================
yum install --enablerepo=epel-testing tor

FreeBSD
============
pkg update
pkg upgrade

OpenBSD
===========
pkg_add -u tor

Windows
========
No updated binaries available for this platform yet.

[1] as of 2016-10-25 18:00 (onionoo data)

conservative estimate
----------------------
(counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
31% CW fraction patched

optimistic estimate
-------------------
(additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12, 0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
43% CW fraction patched

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Thanks for the update, my main relay was vulnerable but I've patched it now to 0.2.8.9.
My Raspberry Pi is running 0.2.5.12 -- is that ok?
If your version is from before 2016-10-17, your relay is vulnerable. To be sure you should be running 0.2.8.9.
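
The conservative and optimistic estimates from footnote [1], together with the version and restart-date rule in the reply above, as an added example (not code from the thread or from either poster). It assumes the Onionoo details fields `platform`, `last_restarted`, `consensus_weight_fraction` and `running`; the relay entries are constructed sample data, and the posters' own method may differ.

```python
import re
from datetime import datetime

# Version sets and cutoff date come from footnote [1] of the thread.
PATCHED_BY_VERSION = {"0.2.8.9", "0.2.9.4-alpha"}
PATCHED_IF_RESTARTED = {"0.2.4.27", "0.2.5.12", "0.2.6.10", "0.2.7.6"}
CUTOFF = datetime(2016, 10, 17)
PLATFORM_RE = re.compile(r"^Tor (\S+)(?: \(.*?\))? on (.+)$")

def relay(platform, restarted, cwf, running=True):
    """Build one constructed entry shaped like an Onionoo details relay."""
    return {"platform": platform, "last_restarted": restarted,
            "consensus_weight_fraction": cwf, "running": running}

# Constructed sample data, not real relays.
SAMPLE_RELAYS = [
    relay("Tor 0.2.8.9 on Linux", "2016-10-18 09:00:00", 0.30),
    relay("Tor 0.2.9.4-alpha on FreeBSD", "2016-10-19 11:30:00", 0.05),
    relay("Tor 0.2.5.12 on Linux", "2016-10-20 08:15:00", 0.10),
    relay("Tor 0.2.5.12 on Linux", "2016-09-01 00:00:00", 0.20),
    relay("Tor 0.2.7.6 on Windows 7", "2016-10-21 10:00:00", 0.15),
    relay("Tor 0.2.8.7 on Linux", "2016-10-19 12:00:00", 0.20),
    relay("Tor 0.2.8.9 on Linux", "2016-10-18 09:00:00", 0.50, running=False),
]

def is_patched(r, optimistic):
    """Apply the footnote's rules to one relay entry."""
    m = PLATFORM_RE.match(r.get("platform") or "")
    if not m:
        return False  # unparseable platform is counted as unpatched
    version, os_name = m.groups()
    if version in PATCHED_BY_VERSION:
        return True
    # Older series kept their version number when patched, so only the
    # optimistic estimate counts them, and only on non-Windows platforms.
    if not optimistic or version not in PATCHED_IF_RESTARTED:
        return False
    if os_name.startswith("Windows"):
        return False
    restarted = datetime.strptime(r["last_restarted"], "%Y-%m-%d %H:%M:%S")
    return restarted >= CUTOFF

def patched_cw_fraction(relays, optimistic=False):
    """Share of running relays' consensus weight that counts as patched."""
    running = [r for r in relays if r.get("running")]
    total = sum(r.get("consensus_weight_fraction") or 0.0 for r in running)
    patched = sum(r.get("consensus_weight_fraction") or 0.0
                  for r in running if is_patched(r, optimistic))
    return patched / total if total else 0.0
```

The restart-date test is only a heuristic: a relay on one of the older series that restarted after 2016-10-17 without installing the patched package is still counted as patched by the optimistic estimate.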
participants (2): Alan, nusenu